From 7b4b3360a6f80e42c40ecc6398b8d12c31478c7e Mon Sep 17 00:00:00 2001 From: Juiced66 Date: Tue, 15 Oct 2024 09:56:38 +0200 Subject: [PATCH] docs: add warning for security concerns on deploying in prod with custom secret --- .../getting-started/deploy-your-application/index.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/doc/2/guides/getting-started/deploy-your-application/index.md b/doc/2/guides/getting-started/deploy-your-application/index.md index 48b44c29a0..c9da850166 100644 --- a/doc/2/guides/getting-started/deploy-your-application/index.md +++ b/doc/2/guides/getting-started/deploy-your-application/index.md 
@@ -48,6 +48,18 @@ This deployment does not use any SSL encryption (HTTPS). A production deployment must include a reverse proxy to securize the connection with SSL. ::: +::: warning +#### Production Deployment: Auth Token Secret + +For every production deployment of Kuzzle, it is essential to set the kuzzle_security__authToken__secret environment variable. This ensures that the JWT secrets used for authenticating requests are generated externally and not stored in Elasticsearch. By managing the secret through an environment variable, you enhance security, prevent potential data exposure, and ensure tokens remain valid only as long as the secret remains unchanged. + +Important: If the `kuzzle_security__authToken__secret` value is changed when Kuzzle restarts, all existing tokens will be invalidated. This ensures that only tokens signed with the current secret remain valid, adding an extra layer of security. + +For default configuration values, you can refer to [the sample Kuzzle configuration file](https://github.com/kuzzleio/kuzzle/blob/master/.kuzzlerc.sample.jsonc). + +Note: If the secret is not set, Kuzzle will fallback to a less secure method of generating and storing the secret, which is not recommended for production environments. +::: + ## Prepare our Docker Compose deployment We are going to write a `docker-compose.yml` file that describes our services.
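Review bot: the added warning tells the reader to set `kuzzle_security__authToken__secret` but never says what value is acceptable or what the fallback actually is, so the closing Note ("fallback to a less secure method of generating and storing the secret") is too vague to act on. Say plainly what the first paragraph already implies, that without the variable the secret is generated at startup and persisted in Elasticsearch, and add one sentence that the value must be a long random string (for example from `openssl rand -base64 32`), not a password chosen by hand. Since this page is the Docker Compose walkthrough, show the variable where the reader will set it, e.g. under the kuzzle service: `environment:` / `- kuzzle_security__authToken__secret=${KUZZLE_AUTH_SECRET}`, with the real value kept in an `.env` file or secret store rather than committed in `docker-compose.yml`. Wording nits in the same hunk: the first mention of the variable is unformatted while the second is in backticks (use backticks for both); "JWT secrets" should be singular ("the JWT secret"); "will fallback" should be "will fall back"; and presenting token invalidation on secret change as "adding an extra layer of security" overstates it, since rotating the secret logs every user out, so phrase it as an operational caveat the operator must plan for rather than a benefit.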